Improve databricks_grants error messages (databricks#1888)

michael-berk · Jan 4, 2023 · 61f61ca · 61f61ca
1 parent 4de3700
commit 61f61ca
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/catalog/resource_grants.go b/catalog/resource_grants.go
@@ -154,6 +154,10 @@ func (sm securableMapping) validate(d attributeGetter, pl PermissionsList) error
 	for _, v := range pl.Assignments {
 		for _, priv := range v.Privileges {
 			if !allowed[strings.ToUpper(priv)] {
+				// check if user uses spaces instead of underscores
+				if allowed[strings.ReplaceAll(priv, " ", "_")] {
+					return fmt.Errorf(`%s is not allowed on %s. Did you mean %s?`, priv, securable, strings.ReplaceAll(priv, " ", "_"))
+				}
 				return fmt.Errorf(`%s is not allowed on %s`, priv, securable)
 			}
 		}

diff --git a/catalog/resource_grants_test.go b/catalog/resource_grants_test.go
@@ -347,3 +347,27 @@ func TestShareGrantUpdate(t *testing.T) {
 		}`,
 	}.ApplyNoError(t)
 }
+
+func TestPrivilegeWithSpace(t *testing.T) {
+	d := data{"table": "me"}
+	err := mapping.validate(d, PermissionsList{
+		Assignments: []PrivilegeAssignment{
+			{
+				Principal:  "me",
+				Privileges: []string{"ALL PRIVILEGES"},
+			},
+		},
+	})
+	assert.EqualError(t, err, "ALL PRIVILEGES is not allowed on table. Did you mean ALL_PRIVILEGES?")
+
+	d = data{"external_location": "me"}
+	err = mapping.validate(d, PermissionsList{
+		Assignments: []PrivilegeAssignment{
+			{
+				Principal:  "me",
+				Privileges: []string{"CREATE TABLE"},
+			},
+		},
+	})
+	assert.EqualError(t, err, "CREATE TABLE is not allowed on external_location. Did you mean CREATE_TABLE?")
+}
diff --git a/docs/resources/grants.md b/docs/resources/grants.md
@@ -33,7 +33,7 @@ Terraform will handle any configuration drift on every `terraform apply` run, ev
 
 It is required to define all permissions for a securable in a single resource, otherwise Terraform cannot guarantee config drift prevention.
 
-Below summarizes which privilege types apply to each securable object in the catalog:
+Unlike the [SQL specification](https://docs.databricks.com/sql/language-manual/sql-ref-privileges.html#privilege-types), all privileges to be written with underscore instead of space, e.g. `CREATE_TABLE` and not `CREATE TABLE`. Below summarizes which privilege types apply to each securable object in the catalog:
 
 ## Metastore grants